multiOTP / multiotp

multiOTP open source strong two factor authentication PHP library, OATH certified, with TOTP, HOTP, Mobile-OTP, YubiKey, SMS, QRcode provisioning, etc.
http://www.multiOTP.net/
GNU Lesser General Public License v3.0

error 99 for all users #197

Closed Tikkoneus closed 4 weeks ago

Tikkoneus commented 1 month ago

Hello! I'm trying to use the "local only" set-up with TOTP. I installed the Windows Credential Provider, created a user, and tried to authenticate. I get error 99 "Authentication failed (and other possible unknown errors)" for all users. I get the same message when I try to verify or resync. I tried creating the users with "-create user TOTP pin 0 6 30" and also with "-createga b32_seed" and get the same error. I've confirmed that the TOTP token I'm entering is correct as the time is properly synchronized on the device generating the token and the multiotp host. I can also generate identical tokens from multiple implementations of the TOTP rfc, so I think there's something I've configured wrong about multiOTP causing it not to accept the token. Any ideas?

multiOTP commented 1 month ago

Hello, after you have created a new user, did you see the user file in the multiotp\users folder? What's happening when you try to check the user authentication using the command line?

Tikkoneus commented 1 month ago

Yes, in the "users" folder it creates "user.db" which contains reasonable values. Also multiotp.exe -user-info user shows correct values. Checking the user auth from the command line gives the same error 99.

Tikkoneus commented 1 month ago

I tried tracing through and I see a new process "multiotp -is-without-2fa" which fails with error 7 "user requires a token" as expected. Then another process starts which is php running the windows multiotp php script. It's this latter script which exits with status code 99.

multiOTP commented 1 month ago

Hello, how are you managing the prefix PIN? Try also to add -debug -display-log when calling multiotp.exe in order to have more debug information.

Tikkoneus commented 1 month ago

Apologies, I created the user (I tried -create with all options manually, and -fastcreate, and also -createga) and then afterwards did -set prefix-pin=0 and confirmed with -user-info that the prefix pin is not required.

I did notice in the user.db that there's a pin field as well, generated by random. I tried doing "-set pin=" to set it to empty string, but I still got the same error 99 behavior.

My understanding was that if I use the totp algorithm when I create the user, and I'm not requiring a prefix pin, then I should be able to put the same base 32 seed into any other implementation of the totp rfc and get the correct token?

multiOTP commented 1 month ago

Hello, could you please provide us the user.db file so we can have a look at it? You can create a QRcode to be sure that the TOTP is well provisioned: multiotp -qrcode user png_file_name.png

After using the "-debug -display-log" options for authentication using the command line, what are the log messages?

Tikkoneus commented 1 month ago

multiotp-database-format-v3
algorithm=totp
attributed_tokens=
autolock_time=0
cache_level=1
cache_lifetime=15552000
challenge:=
challenge_validity=0
create_host=DESKTOP-*snip*2
create_time=1726958297
delta_time=0
desactivated=0
description=
dialin_ip_address=
dialin_ip_mask=
display_name=
email=
email_otp:=
email_validity=0
error_counter=2
group=
key_id=
language=
last_cached_credential=
last_error=1727057676
last_event=-1
last_failed_credential=e964eb444d5*snip*8ebe4cd4a
last_failed_time=1727057676
last_login=0
last_login_for_cache=0
last_success_credential=
last_sync_update=0
last_sync_update_host=
last_update=1727057676
last_update_host=DESKTOP-*snip*2
ldap_hash_cache:=
ldap_hash_validity=0
locked=0
multi_account=0
number_of_digits=6
private_id=
request_ldap_pwd=0
request_prefix_pin=0
scratch_passwords:=
seed_password:=
sms=
sms_otp:=
sms_validity=0
synchronized=0
synchronized_channel=
synchronized_dn=
synchronized_server=
synchronized_time=0
time_interval=30
token_algo_suite=HMAC-SHA1
token_seed:=UzpuYX1QNRQ*snip*NCp3dQ==
token_serial=
user=
user_last_login=0
user_pin:=
user_principal_name=
encryption_hash=99CCFC0D*snip*786A1
delayed_account=
delayed_time=0
delayed_finished=0

Tikkoneus commented 1 month ago

>"c:\Program Files\multiOTP\multiotp.exe" -debug -display-log -cp "user" 797752

LOG 2024-09-23 21:38:15 warning (user user) User Error: authentication failed (using Credential Provider) for user user

LOG 2024-09-23 21:38:15 warning (user user) User Info: *(authentication typed by the user: 797752)
99 *ERROR: Authentication failed (and other possible unknown errors)

LOG 2024-09-23 21:38:15 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
multiOTP Credential Provider mode

multiOTP commented 1 month ago

Hello,

It seems that the generated code is not the correct one. In developer mode, set developer_mode=1, and call the same CLI line. Is the time on the server synchronized? In the correct time zone? Is the time on the token generator synchronized? Did you make the provisioning with the QRcode generated?

Timestamp in ini file: 1727057676 = GMT: Monday 23 September 2024 02:14:36 (posted at about 2024-09-24 01:35 GMT)
Log display: 2024-09-23 21:38:15 (posted at about 2024-09-23 01:35 GMT)

In which timezone are you ?

Regards,

multiOTP commented 1 month ago

To check if it is a time zone issue, try to change the following entry in the multiotp.ini (temporary only): max_time_window=600 -> max_time_window=86400

Tikkoneus commented 1 month ago

The timezone listed in the multiotp.ini file is America\New_York. That matches the timezone set on the host running multiotp and on the device I'm using to generate tokens. What should it be set to?

I did try setting the max_time_window to 86400 and still got the same error.

Tikkoneus commented 1 month ago

When I try changing the timezone in the multiotp.ini I instead receive authentication failed (using Credential Provider) for user (time based token probably out of sync). If I restore the timezone to America/New_York then I get error 99. This leads me to believe it's not a timezone issue?

multiOTP commented 1 month ago

Hello, when you receive "authentication failed (using Credential Provider) for user (time based token probably out of sync)", that means the OTP code is correct and inside a time window up to 10x bigger than it should be (if it's out of this 10x range, it doesn't check the Windows timezone anymore and just says that the code is wrong). Is your host in the correct timezone? Is your TOTP generator in the correct timezone?

Tikkoneus commented 1 month ago

I'm really pulling my hair out on this one. There's something really unpredictable (not reproducible) going on. I completely uninstalled the multiotp credential provider and reinstalled it. The ONLY change I made was to modify the multiotp.ini file to have a max_time_window of 1,000,000. I got this:

>"c:\Program Files\multiOTP\multiotp.exe" -delete user
>"c:\Program Files\multiOTP\multiotp.exe" -create user totp <b32_seed> 0 6 30
>"c:\Program Files\multiOTP\multiotp.exe" -set user prefix-pin=0
>"c:\Program Files\multiOTP\multiotp.exe" -set user pin=
>"c:\Program Files\multiOTP\multiotp.exe" -debug -display-log -cp "user" 938072
LOG 2024-09-28 19:34:22 notice (user user) User OK: User user successfully logged in (using Credential Provider) with TOTP token
0 *OK: Token accepted
multiOTP Credential Provider mode

>"c:\Program Files\multiOTP\multiotp.exe" -delete user
>"c:\Program Files\multiOTP\multiotp.exe" -create user totp <b32_seed> 0 6 30
>"c:\Program Files\multiOTP\multiotp.exe" -set user prefix-pin=0
>"c:\Program Files\multiOTP\multiotp.exe" -set user pin=
>"c:\Program Files\multiOTP\multiotp.exe" -debug -display-log -cp "user" 938072
LOG 2024-09-28 19:34:46 warning (user user) User Error: authentication failed (using Credential Provider) for user user
LOG 2024-09-28 19:34:46 warning (user user) User Info: *(authentication typed by the user: 543201)
99 *ERROR: Authentication failed (and other possible unknown errors)
LOG 2024-09-28 19:34:46 debug Debug Debug: *Attributes sent to the RADIUS server: Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
Reply-Message := "ERROR: Authentication failed (and other possible unknown errors)"
multiOTP Credential Provider mode

Creating a user from scratch and using a Google Authenticator (known-good) token worked the first time and failed the second time, using the same code in the same 30 second window. What other settings could be affecting this?

Tikkoneus commented 1 month ago

Leaving this here for posterity. The issue was the pin. Using create did not use the same algorithm as Google Authenticator (nor as the python lib I was using to generate the code). Using createga DID use the correct algorithm, but it only accepted one password out of many attempts ... because I used createga with a lowercase password and it just happened to generate the same token as the uppercase version of that password. Several places in the php there are strtoupper calls, but the createga function first calls base32_decode on the input and then passes that to bin2hex so case sensitivity very much matters.
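
An added example, not code from the multiOTP project or from either participant: a reference RFC 4226/6238 implementation in Python that reproduces the two checks this thread turned on. First, an independent TOTP computation checked against the published RFC test vectors, so a wrong server-side token can be told apart from a wrong generator; second, the base32-seed case pitfall from the comment above, shown with Python's standard decoder, which rejects a lowercase seed outright unless the caller normalizes it (multiOTP's own base32_decode behaves differently, as described above; the hypothetical helpers here only show why the seed must be uppercased before decoding). The `verify_totp` helper also models the ±N-step acceptance window behind the "token probably out of sync" message in the earlier reply; the window size and the 20-byte RFC reference key are assumptions for illustration, not multiOTP's values.

```python
"""Reference TOTP check plus the base32-seed case pitfall (added example)."""
import base64
import binascii
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 reference key (ASCII "12345678901234567890"); used only
# to validate this implementation against the published test vectors.
REFERENCE_KEY = b"12345678901234567890"


def normalize_b32_seed(seed: str) -> str:
    """Uppercase, drop whitespace and '=' padding, then re-pad to a multiple of 8.
    Authenticator apps effectively do this with a provisioned secret, so a
    server must do the same or it derives a different key from the same string."""
    s = "".join(seed.split()).rstrip("=").upper()
    return s + "=" * (-len(s) % 8)


def seed_to_key(seed: str) -> bytes:
    """Decode a base32 seed to raw HMAC key bytes after case normalization."""
    return base64.b32decode(normalize_b32_seed(seed))


def strict_seed_to_key(seed: str) -> Optional[bytes]:
    """Decode with no normalization (casefold=False is the default).
    A lowercase seed is rejected here rather than silently mis-decoded."""
    try:
        return base64.b32decode(seed, casefold=False)
    except binascii.Error:
        return None


def seed_to_hex(seed: str) -> str:
    """Base32 seed -> hex, the same base32_decode/bin2hex shape described above."""
    return seed_to_key(seed).hex()


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, unix_time // step, digits, algo)


def verify_totp(key: bytes, code: str, unix_time: int, window_steps: int = 1,
                digits: int = 6, step: int = 30) -> Optional[int]:
    """Accept a code within +/- window_steps of the current step (assumed window).
    Returns the step offset it matched at, so the caller can report 'out of
    sync' rather than a bare failure, or None if nothing in the window matches."""
    counter = unix_time // step
    for delta in range(-window_steps, window_steps + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return delta
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B: T=59 with the SHA-1 reference key -> 94287082.
    print("RFC vector:", totp(REFERENCE_KEY, 59, digits=8))
    # Constructed seed: same secret typed in lower- and uppercase.
    for seed in ("jbswy3dpehpk3pxp", "JBSWY3DPEHPK3PXP"):
        print(seed, "strict:", strict_seed_to_key(seed), "normalized:", seed_to_hex(seed))
```

Run it against the seed you actually provisioned: if `totp(seed_to_key(seed), int(time.time()))` matches the authenticator app but the server still returns 99, the server is decoding the seed string to different key bytes (case, padding or hex-vs-base32), not disagreeing about the time.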

multiOTP commented 4 weeks ago

Thanks for your feedback.